Exposing the Internet-Connected Infrastructure of a Spam Domains Portfolio - An OSINT Analysis
We've decided to profile and offer actionable intelligence on a currently active portfolio 
of spam domains, with the aim of helping the security community properly track down, 
monitor, and profile the cybercriminals behind these campaigns. 


Sample domains known to have been involved in the campaign include: 




Sample responding IPs known to have been involved in the campaign include: 




Sample personally identifiable email address accounts known to have been 
involved in the campaign include: 




Related domains known to have been involved in the campaign include: 




We'll continue monitoring the campaign and will post updates as soon as new 
developments take place. 


